Document automatic HTTPS #1001

xhochy · 2019-11-14T07:37:02Z

There is a lot of unofficial, mostly outdated information in Github issues on how to setup HTTPS for a binderhub. This is the way I got it working and would love to have it included in the documentation for clarity.

betatim · 2019-11-14T22:05:02Z

Thanks a lot for doing this! It has been a neglected area of the docs.

I like that the steps build on the existing docs. For mybinder.org we've created a chart that depends on the binderhub, kubelego and nginx-ingress charts. This means everything there is slightly different from what is described in the guide here.

Should we add a note about using helm or not to install certmanager? I don't know which way is better but if we have some information on how to choose it would be useful for readers. My naive assumption when starting to read was that the instructions would be following https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html#installing-with-helm and that guess turned out to be wrong :D

Other than this question there are a few nits but I think this can be merged (restarted the CI builds and will check why they are unhappy if they fail again).

doc/https.rst

betatim · 2019-11-14T22:09:32Z

doc/https.rst

+   and retrieve the assigned IP using ``gcloud compute addresses list``.
+2. Buy a domain name from a registrar. Pick whichever one you want.
+3. Set A records to your above retrieved external IP, one for Binder and
+   one for JupyterHub. We need two distinct subdomains for the routing to


What about adding something like: "We suggest you use hub.binder.<domain> for JupyterHub and binder.<domain> for your BinderHub. Once you are done your BinderHub will be available at https://binder.<domain>"? To give people an idea what to name stuff and which of these URLs users will end up having to type.

doc/https.rst

betatim · 2019-11-14T22:13:59Z

doc/https.rst

+            enabled: true
+            type: nginx
+        tls:
+           - secretName: <jupyterhub-URL>-tls


Can you use dots . in secret names?

You can but I think it is not seen as a good practice. Would the following, longer version work better?

Suggested change

- secretName: <jupyterhub-URL>-tls

- secretName: <jupyterhub-URL-with-dashes-instead-of-dots>-tls

Looks good to me. Can't commit the suggestion so you have to do it unfortunately

Co-Authored-By: Tim Head <betatim@gmail.com>

xhochy · 2019-11-15T17:38:28Z

Thanks a lot for doing this! It has been a neglected area of the docs.

I like that the steps build on the existing docs. For mybinder.org we've created a chart that depends on the binderhub, kubelego and nginx-ingress charts. This means everything there is slightly different from what is described in the guide here.

It would probably make sense to have this as a public helm chart; maybe exchange kube-lego with cert-manager as the latter is considered the successor of the first.

Should we add a note about using helm or not to install certmanager? I don't know which way is better but if we have some information on how to choose it would be useful for readers. My naive assumption when starting to read was that the instructions would be following https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html#installing-with-helm and that guess turned out to be wrong :D

I documented the way I got it working, we can work on improving that. I will have a look at using the helm chart also for cert-manager.

betatim · 2019-11-15T18:35:20Z

Sounds good.

Do you want to work on the two non-resolved comments or should we merge now?

xhochy · 2019-11-15T20:20:29Z

Sounds good.

Do you want to work on the two non-resolved comments or should we merge now?

I worked on the comments and this should be ready for merge once CI passes.

betatim · 2019-11-16T06:51:53Z

Thanks a lot for writing down how you did it and the nice PR!

jupyterhub/binderhub#1001

Document automatic HTTPS

ea01ee3